I yearn for the day to receive a good phishing email

Every day I receive between 50 and 100 spam emails. I know this because on my various accounts I do a manual check of the numbers in there, just in case one that legitimately offers me a bargain has slipped through by accident. But more often than not they end up in my inbox. Most are of the same type, you know the ones – “Your xyz bank account has been suspended due to irregular activity and you need to click here to re-enter your username and password”, or “I work for abc bank and our customer General Bob has died and we have no one to leave the money to, so do you want it?”

Both types simply want your bank details so that they can siphon off your hard-earned cash. Why do they continue to do this? Because the return on investment is huge. Even if only 0.1% of the people the emails are sent to fall for the scam, it will have been worth it. It costs virtually nothing to set up these scams, and despite the advanced monitoring of the genuine banks and financial institutions, there will always be a small window in which fraudsters can perpetrate them.

But all of them are let down by silly mistakes in their approach: the wording of their emails, the punctuation, the spelling mistakes, the use of unusually familiar words. In the parlance of body language it is said that a liar gives themselves away over 90% of the time not by any visual clue but by the words they utter. My favourite example of this landed in my inbox yesterday.

It was an email from the FBI. It was addressed correctly, even carrying an official-looking letterhead. The content was also unique. Apparently my email address had been found on a list of addresses used by known fraudsters in Africa. The criminals had been caught and their assets seized, and a court in Lagos had made the decision to divide up the money among all those on the seized list. I was due to receive an ATM card loaded with $1.5 million. Obviously I didn’t fall for this ruse, but up to a point the story was quite believable. And then they went and ruined it. This email from the FBI started a paragraph with the words “so my dear”. I love a good film, and must have seen hundreds that feature the FBI, yet not once in the fictional world of Hollywood have I heard an FBI agent address someone as “my dear”.

Last year there was another phishing attack that pretended to be from the Inland Revenue. It appeared that you were due a tax refund, and the link took you to a form that was impressive in terms of authenticity. It asked the exact questions you would see on a tax return, and the killer question at the end was to confirm your bank account details so the overpayment could be sent to you (which is exactly what the Inland Revenue asks you on the self-assessment form). But what gave it away was that if you hovered over the submit button you saw that this was a simple form-to-email, and it was going to a Hotmail address.
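The "hover over the submit button" test described above can be automated for every form on a page. The following is an added example, not code from the original post: it parses the HTML, resolves each form's submit target, and flags targets that are a mailto: address (a form-to-email relay) or that point at a host other than the page's own. The sample page and all hostnames under .example are constructed for illustration.

```python
"""Automate the "hover over the submit button" check described in the post.

Added example (not the author's code): for every <form> in an HTML page it
resolves the submit target and flags targets that are a mailto: address
(a form-to-email relay) or that point at a host other than the page's own.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "form":
            # A missing or empty action means the form posts back to the page itself.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url: str, html: str) -> list[dict]:
    """Return one finding per form whose submit target looks wrong for the page."""
    collector = _FormCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    findings: list[dict] = []
    for action in collector.actions:
        # Relative actions resolve against the page URL and so stay on the page host.
        target = urlsplit(urljoin(page_url, action))
        if target.scheme == "mailto":
            findings.append({"action": action, "reason": "form-to-email target", "target": target.path})
        elif target.hostname and target.hostname != page_host:
            findings.append({"action": action, "reason": "third-party host", "target": target.hostname})
    return findings


# Constructed sample page, modelled on the refund form described in the post
# (hypothetical hostnames under .example; not taken from a real campaign).
SAMPLE_URL = "https://tax-refund.example/claim"
SAMPLE_HTML = """
<html><body>
<form action="/claim/step2" method="post"><input name="name"></form>
<form action="https://free-formmail.example/submit" method="post"><input name="sortcode"></form>
<form action="mailto:refunds@webmail.example" method="post"><input name="account"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{finding['reason']}: action={finding['action']!r} -> {finding['target']}")
```

The output is a list of candidates for review rather than a verdict: genuine sites do sometimes submit to a separate host (a payment processor or a single sign-on domain), so a third-party target is a prompt to look closer, while a mailto: target on a page asking for bank details is about as clear a signal as the post describes.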

We still hear frightening stories of innocent people being duped by these scams. The irony is that we are bombarded by junk email all day long, and some of it contains useful information on how to avoid being tricked. Financial institutions need to do more to educate their customers than just emailing them a warning, which only adds to the problem.

Domain name companies are also doing their bit. Proactive scanning of recently registered domain names for the signs of a potential phishing scam is good housekeeping – after all, what possible good use would someone have for l1oydsbank.com?

Some companies will do all they can to protect their brand by registering these common mistypes, but is the burden purely on them? What about the registries actually quarantining clear phishing domain names so that they can never be registered again?

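The proactive scan of new registrations described in the two paragraphs above, and the quarantine list it would feed, both rest on one question: does this label resemble a protected brand? The following is an added example, not the author's or any registry's code. It strips the public suffix, undoes a small set of visually confusable substitutions (the "1" standing in for an "l" in l1oydsbank.com), then compares the result with each brand label, allowing an embedded brand or a single typo. Everything except l1oydsbank.com (the brand list, the suffix table, the feed of registrations) is a constructed assumption.

```python
"""Screen newly registered domain names for lookalikes of protected brands.

Added example (not the author's or any registry's code). It automates the kind of
proactive scan described in the post: strip the TLD, normalise characters that are
visually confusable (the '1' standing in for an 'l' in l1oydsbank.com), then
compare the result with each protected brand label, allowing a single typo.
"""

# Illustrative subset of visually confusable substitutions; a real scanner would
# use a fuller table (e.g. Unicode confusables) and per-brand tuning.
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "rn": "m", "vv": "w", "-": ""}

# Small illustrative subset of public second-level suffixes (assumption, not a
# full public suffix list).
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def normalise(label: str) -> str:
    """Lower-case a label and undo the confusable substitutions above."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable_label(domain: str) -> str:
    """Return the label just below the public suffix: 'www.loydsbank.co.uk' -> 'loydsbank'."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in SECOND_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(new_domains, brands, max_distance: int = 1):
    """Return (domain, brand, reason) for each registration that resembles a brand."""
    findings = []
    for domain in new_domains:
        label = registrable_label(domain)
        norm = normalise(label)
        for brand in brands:
            if norm == brand:
                if label != brand:  # identical only after undoing confusables
                    findings.append((domain, brand, "normalised match"))
                break  # label == brand is the brand's own registration
            if brand in norm:
                findings.append((domain, brand, "brand embedded"))
                break
            distance = edit_distance(norm, brand)
            if distance <= max_distance:
                findings.append((domain, brand, f"typo distance {distance}"))
                break
    return findings


# Constructed feed of "recent registrations"; only l1oydsbank.com comes from the post.
PROTECTED_BRANDS = ["lloydsbank", "abcbank"]
SAMPLE_REGISTRATIONS = [
    "l1oydsbank.com",
    "lloydsbank.com",
    "loydsbank.co.uk",
    "lloydsbank-secure.com",
    "abc-bank.com",
    "flowershop.example",
]

if __name__ == "__main__":
    for domain, brand, reason in screen(SAMPLE_REGISTRATIONS, PROTECTED_BRANDS):
        print(f"{domain}: resembles {brand} ({reason})")
```

Brand labels are compared in their normalised form, so the brand's own registration (lloydsbank.com above) is passed over rather than reported. The confusable table is deliberately short; the "rn" to "m" rule in particular will also rewrite ordinary words, so in practice the hits go to an analyst rather than straight to a quarantine list.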

Security software vendors are trying to ease the issue as well. The increasing adoption of SSL (Secure Sockets Layer) means that even the most naïve internet user can very easily tell if a website they are visiting is legitimate, thanks to the padlock symbol and the colour coding of the browser bar (green is good!).

However, despite enhanced security measures, governance by the domain name companies and awareness campaigns by those organisations who are sinned against, cybercrime will continue to haunt us simply because people want to believe that there really is a pot of gold, left to them by a good Samaritan, waiting for them in an offshore bank account.

Written by Stuart Fuller, Director of Communications, Group NBT